We are implementing a claims-based approach to security for our enterprise applications. I've been looking at the built-in support (with System.IdentityModel) as well as Windows Identity Foundation (WIF) but it doesn't look like either support Silverlight applications. I realize that SL4 doesn't support IPrincipal et al, but that shouldn't mean we can't still do claims-based auth.
Am I missing samples or documentation showing how to do so in SL4 or am I left to a home-grown solution?
I recently discovered that the latest version of the WIF Training Kit contains a sample application showing how to integrate WIF into a Silverlight client. It includes a version of the WIF IdentityModel code compiled against the Silverlight runtime. While not an ideal or even long-term solution, it gets me going.
Have a look at this by Dominic:
http://www.leastprivilege.com/UsingSilverlightToAccessWIFSecuredWCFServices.aspx
or this:
http://social.msdn.microsoft.com/Forums/en/Geneva/thread/fe890df3-8815-4d05-b293-d3c87f32e9e0
Related
I am in need of a solution for using ADFS 3.0 identities in an ASP.NET Core 2 Web API application. The Windows Enterprise Support team at my organization has informed me that they are only familiar with SAML or WS-Fed based relying parties within ADFS, and are not interested in allowing me to help them configure OAuth, which I could consume directly within the application. As far as I am aware, neither SAML nor WS-Fed are compatible with anything currently available targeting netcore or netstandard.
I've been looking at Identity Server 4, and it's so-called "Federation Gateway" functionality, but I can't find much in the way of documentation. Is this something that could be useful for my use case? I'm guessing that it's only set up to interface via OAuth or OpenID, but I could be wrong.
I've also looked at using Amazon Cognito as the middleman to issue JWTs based on the SAML response, but after I got a proof of concept working with this configuration, I realized the cost at $0.45/MAU is prohibitively high, as the application will have around 10-15k regular users.
If Identity Server isn't the solution, are there any other similar "Federation Gateway" type solutions available as preferably open source/free software? Even if the solution wasn't .NET-based, I'd be interested in looking at it. I'm toying with the idea of building something like this in Java or Ruby as a last resort.
As of version 2.0, IDS4 can be a WS-Fed relying party. This would allow it to act as a middleman between ADFS and OIDC/OAuth RPs.
This vid from the IDS4 guys covers the available options: https://vimeo.com/254635632
It's also worth noting that you can run ADFS 2016 servers in a 2008R2 or higher domain and that natively supports OpenID Connect but given what you've said about your internal "support" team, deploying IDS4 may be a better option, although probably more work.
Just for completeness, the issue with WS-Fed was cryptographic support in .NET Core. This is now resolved so WS-Fed is supported.
SAML support is available via Sustainsys or Rock Solid Knowledge.
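An added example, not part of this answer and not IdentityServer4's own code: the Web API side of the "middleman" setup above, where the ASP.NET Core 2.x API trusts IdentityServer4 as its token issuer and IdentityServer4 in turn trusts AD FS over WS-Fed. The authority URL, the audience name "enterprise-api" and the scope value are placeholders.

```csharp
// Startup.cs of the Web API. Package: Microsoft.AspNetCore.Authentication.JwtBearer (2.x).
// https://ids.example.com, "enterprise-api" and the policy name are placeholders.
using System;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Discovery document and signing keys are fetched from the IdentityServer4
                // gateway; the 'iss' claim of every token must equal the issuer announced there.
                options.Authority = "https://ids.example.com";
                options.RequireHttpsMetadata = true;

                // 'aud' must name this API. A token IdentityServer issued for a different API
                // behind the same gateway carries a valid signature but is still rejected.
                options.Audience = "enterprise-api";

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    // Default skew is five minutes; one minute is plenty on NTP-synced hosts.
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        // Authorization is a separate decision from authentication: a valid token is not
        // enough, it must also carry the scope this API was registered with.
        services.AddAuthorization(options =>
            options.AddPolicy("ApiScope", policy =>
                policy.RequireAuthenticatedUser().RequireClaim("scope", "enterprise-api")));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        app.UseAuthentication();   // must run before MVC so [Authorize] sees the principal
        app.UseMvc();
    }
}

[Authorize(Policy = "ApiScope")]
[Route("api/[controller]")]
public class WhoAmIController : ControllerBase
{
    // Returns the subject the gateway mapped from the AD FS identity.
    [HttpGet]
    public IActionResult Get() => Ok(new { subject = User.FindFirst("sub")?.Value });
}
```

Because the API only ever sees tokens minted by IdentityServer4, nothing in it needs to understand WS-Fed or SAML; the AD FS relationship lives entirely in the gateway, which is the point of the arrangement the answer describes.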
You can implement SAML 2.0 federation with AD FS 3.0 in ASP.NET Core 2.1 using the ITfoxtec Identity Saml2 package. NuGet package: https://www.nuget.org/packages/ITfoxtec.Identity.Saml2.MvcCore/
Project https://itfoxtec.com/IdentitySaml2 and code samples https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/tree/master/test
Windows Identity Foundation (WIF) has been around for a while, maybe 5 to 7 years or more! Now Microsoft has made WIF part of the .NET Framework (4.5) itself. As we know, WIF is a middleware for building identity-aware applications.
As the trend in web technology is changing, we now need to incorporate multiple other identity providers (Google, Facebook, etc.) in our application.
Now the industry has other middleware technologies like OWIN, ASP.NET Identity, etc.
My question:
Is WIF still relevant, and do we need to consider using it for new projects?
Or
Do we need to implement OWIN as an alternative middleware? (As I understand it, Microsoft is betting on OWIN / Katana moving forward.)
Please share your thoughts.
For new projects I highly recommend considering Katana and ASP.NET 5 OWIN middleware.
WIF remains supported as part of the .NET framework, however we stopped adding new features long ago - all the innovation has been poured in Katana and OWIN middleware in general. Also, we like to think that the OWIN middleware is significantly easier to use :) Again, if your project has legacy aspects that impose the use of WIF, you can go ahead knowing we'll support you: but if you have any chance of choosing, the OWIN middleware is the best path moving forward.
Totally agree with #vibronet but to answer the question - yes - still relevant.
There's a ton of WIF out there - I support lots of customers who still use it.
OWIN is easier to use but the nice thing about WIF is that everything is in the web.config so the details are more explicit and easier to change. However, that comes at the cost of a fairly steep learning curve.
Refer: OWIN : Differences with WIF and WIF : Wrappers around protocols.
As per the links:
"You can think of OWIN as MVC and WIF as Forms. Forms are still supported but all the new whizzy features and all the code samples relate to MVC.
It's important to note that neither OWIN nor WIF are protocols - they are the wrappers around the protocols. The protocols underneath both are identical."
Also consider we have moved some of the functionality of WIF into an open source project we refer to as Wilson. You can check it out here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
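An added example, not from the answer above and not code taken from the Wilson repository: issuing and then validating a JWT with the System.IdentityModel.Tokens.Jwt package that lives in that repo (5.x line, together with Microsoft.IdentityModel.Tokens), with every validation parameter spelled out rather than left at its default. Issuer, audience, claims and the in-memory key are placeholders; the `ValidAlgorithms` property exists only in later 5.x releases and can be dropped on older ones.

```csharp
// Issue + validate a JWT with the "Wilson" JWT handler. Issuer/audience/claims are placeholders.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

public static class WilsonJwtDemo
{
    // 256-bit HMAC key generated per run for the demo only; a real issuer keeps it in a
    // key store and rotates it, never as a literal in source or config.
    static readonly SymmetricSecurityKey Key = NewKey();

    static SymmetricSecurityKey NewKey()
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return new SymmetricSecurityKey(bytes);
    }

    public static string Issue(string issuer, string audience, string subject, TimeSpan lifetime)
    {
        var now = DateTime.UtcNow;
        var token = new JwtSecurityToken(
            issuer: issuer,
            audience: audience,
            claims: new[] { new Claim(JwtRegisteredClaimNames.Sub, subject), new Claim("role", "reader") },
            notBefore: now,
            expires: now.Add(lifetime),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    public static ClaimsPrincipal Validate(string jwt, string issuer, string audience)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = Key,
            // Pin the algorithm: a token whose header says 'none' or another alg is refused.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }

    public static void Main()
    {
        const string issuer = "https://sts.example.com", audience = "https://app.example.com";
        var jwt = Issue(issuer, audience, "alice", TimeSpan.FromMinutes(5));

        // Happy path: 'sub' is mapped to ClaimTypes.NameIdentifier by the default inbound claim map.
        var principal = Validate(jwt, issuer, audience);
        Console.WriteLine("subject: " + principal.FindFirst(ClaimTypes.NameIdentifier).Value);

        // Same key, same issuer, but the token was minted for a different application.
        try { Validate(jwt, issuer, "https://other.example.com"); }
        catch (SecurityTokenInvalidAudienceException) { Console.WriteLine("rejected: wrong audience"); }

        // Flip one character inside the signature segment; the HMAC no longer matches.
        var parts = jwt.Split('.');
        parts[2] = parts[2].Substring(0, 5) + (parts[2][5] == 'A' ? 'B' : 'A') + parts[2].Substring(6);
        try { Validate(string.Join(".", parts), issuer, audience); }
        catch (SecurityTokenInvalidSignatureException) { Console.WriteLine("rejected: bad signature"); }
    }
}
```

The two negative cases are the ones that matter when a relying party is wired up by hand: a token that is perfectly genuine but meant for another audience, and a token whose body was touched after signing. Both are caught by the handler only because the parameters say so; leaving `ValidateAudience` off, as plenty of copied snippets do, silently accepts the first.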
I have a scenario whereby I need to build a WCF service to provide custom authentication to 3rd-party non-web applications connecting in an "Active" mode - i.e. I cannot present a web login page.
The login mechanism is also custom (i.e. not necessarily username/password), and so I cannot use ADFS or ACS.
I have read up on building active STS using WCF, but they mostly relate to .NET 3.5 and not much has been written around using .NET 4.5 since WIF has been integrated into the framework.
I have read Examples of how to a STS in .Net 4.5 using WCF but it doesn't seem to fit my scenario.
Any pointers appreciated.
Maybe you want to have a look at
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
This is an open source STS that includes active endpoints.
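An added example, mine rather than Thinktecture's: what the "active" side of that exchange looks like from the calling application, using the WS-Trust client classes that ship in .NET 4.5 (System.ServiceModel.Security and System.IdentityModel.Protocols.WSTrust). The STS address, relying-party URI and credentials are placeholders. It sends a username/password because that is the credential the built-in bindings understand; a truly custom credential means a custom token and token handler on both ends, which is the part an off-the-shelf STS is meant to spare you.

```csharp
// Active WS-Trust 1.3 client: no browser, no redirects, token comes back in the SOAP response.
// Addresses and credentials are placeholders.
using System;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Tokens;
using System.ServiceModel;
using System.ServiceModel.Security;

public static class ActiveClient
{
    public static SecurityToken RequestToken(string stsAddress, string appliesTo, string user, string password)
    {
        // The credential travels inside the SOAP body, so TLS is mandatory:
        // TransportWithMessageCredential refuses to open a channel over plain http://.
        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;   // one-shot request, no WS-SecureConversation

        var factory = new WSTrustChannelFactory(binding, new EndpointAddress(stsAddress))
        {
            TrustVersion = TrustVersion.WSTrust13,
        };
        factory.Credentials.UserName.UserName = user;
        factory.Credentials.UserName.Password = password;

        var rst = new RequestSecurityToken
        {
            RequestType = RequestTypes.Issue,
            // The STS scopes the token to this relying party; presenting it anywhere else fails audience checks.
            AppliesTo = new EndpointReference(appliesTo),
            // Bearer: no proof key, so the token is only as safe as the TLS channel it is later sent over.
            KeyType = KeyTypes.Bearer,
            TokenType = "urn:oasis:names:tc:SAML:2.0:assertion",
        };

        var channel = factory.CreateChannel();
        var comm = (ICommunicationObject)channel;
        try
        {
            return channel.Issue(rst);
        }
        finally
        {
            try { comm.Close(); } catch { comm.Abort(); }
            try { factory.Close(); } catch { factory.Abort(); }
        }
    }

    public static void Main()
    {
        var token = RequestToken(
            "https://sts.example.com/trust13/username",   // placeholder STS endpoint
            "https://app.example.com/",                    // placeholder relying party
            "alice", "correct horse battery staple");
        Console.WriteLine("got token {0}, valid until {1:u}", token.Id, token.ValidTo);
        // The SecurityToken is then attached to calls to the relying party, e.g. through a
        // channel factory configured with federated message security.
    }
}
```

Two things to notice: `KeyType` is `Bearer`, so whoever holds the token can use it and the client must protect it exactly like a password, and `ValidTo` on the returned token is the server's decision, not the client's, which is why the STS side (below) bounds the lifetime.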
I'm looking for Examples of how to a STS in .Net 4.5 using WCF.
So the scenario is I have an MVC 4 web app for which I want to write an STS to authenticate and get claims, and that stores its data in the traditional SqlMembershipProvider database schema that we all know and love.
I'm guessing the STS could be a simple WCF service.
I've googled around but can only find stuff that shows how to do all this when the WIF was separated from the Core Framework. I.e. before it was embedded in .Net 4.5
Writing your solution may not be as easy as you expect it to be. Have a look at https://github.com/thinktecture/Thinktecture.IdentityServer.v2 which is a .NET STS. I guess using it will suffice in your case and it is very actively developed.
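An added example, not the Thinktecture code and not from either answer: the skeleton of an active STS built on the WIF types that ship in .NET 4.5 (System.IdentityModel and System.ServiceModel.Security), self-hosted in WCF. It authenticates the WS-Trust UserName credential against the configured SqlMembershipProvider, which is the question's scenario; for the custom-credential scenario in the question above it, the `UserNamePasswordValidator` is the piece you would swap for a validator of your own token type. The certificate subject, addresses and relying-party list are placeholders, and the HTTPS base address assumes a server certificate already bound to that port with `netsh http add sslcert`.

```csharp
// Minimal active STS on .NET 4.5 / WIF. Placeholders: cert subject, URIs, relying-party list.
// References: System.IdentityModel, System.ServiceModel, System.Web (for Membership/Roles).
using System;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.IdentityModel.Selectors;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;
using System.Web.Security;

// Checks the UserName credential in the WS-Trust request against the membership provider
// from app.config. Throwing here turns into a SOAP fault before the STS code ever runs.
class MembershipValidator : UserNamePasswordValidator
{
    public override void Validate(string userName, string password)
    {
        if (!Membership.ValidateUser(userName, password))
            throw new SecurityTokenException("Invalid credentials");
    }
}

class MembershipSts : SecurityTokenService
{
    public MembershipSts(SecurityTokenServiceConfiguration config) : base(config) { }

    // Allow-list of relying parties. Honouring an arbitrary AppliesTo would let any
    // authenticated caller obtain signed assertions scoped to a service you never registered.
    static readonly string[] KnownRelyingParties = { "https://app.example.com/" };

    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || Array.IndexOf(KnownRelyingParties, request.AppliesTo.Uri.AbsoluteUri) < 0)
            throw new InvalidRequestException("Unknown relying party");

        var scope = new Scope(request.AppliesTo.Uri.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
        // Bearer token protected by TLS on the way to the RP. Set scope.EncryptingCredentials
        // to the RP's public key instead if intermediaries must not read the claims.
        scope.TokenEncryptionRequired = false;
        scope.ReplyToAddress = scope.AppliesToAddress;
        return scope;
    }

    protected override ClaimsIdentity GetOutputClaimsIdentity(ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        // 'principal' is what WCF established from MembershipValidator; only its name is trusted here.
        var user = principal.Identity.Name;
        var identity = new ClaimsIdentity("MembershipSts");
        identity.AddClaim(new Claim(ClaimTypes.Name, user));
        foreach (var role in Roles.GetRolesForUser(user))
            identity.AddClaim(new Claim(ClaimTypes.Role, role));
        return identity;
    }
}

static class StsHost
{
    public static void Main()
    {
        var signingCert = FindCert("CN=sts.example.com");   // needs the private key: it signs every token

        var config = new SecurityTokenServiceConfiguration("https://sts.example.com/", new X509SigningCredentials(signingCert))
        {
            SecurityTokenService = typeof(MembershipSts),
            DefaultTokenLifetime = TimeSpan.FromMinutes(10),
            MaximumTokenLifetime = TimeSpan.FromHours(1),    // caps whatever lifetime the client asks for
        };

        var binding = new WS2007HttpBinding(SecurityMode.TransportWithMessageCredential);
        binding.Security.Message.ClientCredentialType = MessageCredentialType.UserName;
        binding.Security.Message.EstablishSecurityContext = false;

        using (var host = new WSTrustServiceHost(config, new Uri("https://localhost:8443/sts")))
        {
            host.AddServiceEndpoint(typeof(IWSTrust13SyncContract), binding, "trust13/username");
            host.Credentials.ServiceCertificate.Certificate = signingCert;
            host.Credentials.UserNameAuthentication.UserNamePasswordValidationMode = UserNamePasswordValidationMode.Custom;
            host.Credentials.UserNameAuthentication.CustomUserNamePasswordValidator = new MembershipValidator();
            host.Open();
            Console.WriteLine("STS listening; press Enter to stop");
            Console.ReadLine();
        }
    }

    static X509Certificate2 FindCert(string subject)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            var found = store.Certificates.Find(X509FindType.FindBySubjectDistinguishedName, subject, validOnly: true);
            if (found.Count == 0) throw new InvalidOperationException("Signing certificate not found: " + subject);
            return found[0];
        }
        finally { store.Close(); }
    }
}
```

The skeleton is short, but the answer's warning stands: what is missing (metadata publishing, key rollover, logging of every issuance, replay protection on the relying party, the SAML token handler configuration on the RP side) is where the real effort goes, and it is exactly what a maintained STS gives you for free.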
We currently have half a dozen projects which were originally built using .NET Framework 1.1 and WSE 2.0. But Microsoft's support for WSE is lacking and the latest version of it (3.0) only targets .NET Framework 2.0. Our new projects will use .NET Framework 3.5 and instead of hacking together our own WSE support, we are currently looking for alternative approaches.
Our current projects use WSE to digitally sign the SOAP-messages with a X.509 certificate. This is what we require also for our future projects.
It seems that going the WCF route is the smart choice, but are there any alternatives? WCF seems to support X.509 certificates, but we are a little worried about its support for platforms other than .NET. Our clients need to be able to use Java-based software to connect to our services. And they've stated that it should be as easy as it has been before (when we were using Web Services). So WCF must be configured to use HTTP and SOAP.
Given the requirements of X.509, cross-platform interoperability and ease of use (HTTP & SOAP), is Windows Communication Foundation the right solution?
Yes, WCF is the solution - it is an API for building Web services and it is interoperable if you don't use MS/.NET-specific features. But you should be aware that sometimes there are some problems with porting WSE services to WCF. I recommend building a very simple service in WSE (like Hello World) and securing it with certificates in the same way as the real services. Then create a Java client to consume the service. After that, replace the WSE service with WCF. It will be your proof of concept. In case of problems you can easily share this solution here or on MSDN to get some help.
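An added example, not from the answer: the WCF host configuration that matches the requirements in the question (HTTP, SOAP, messages signed with X.509 certificates, consumable from non-.NET clients). It uses `BasicHttpBinding` in message mode, which is WS-Security 1.0 with X.509 tokens over SOAP 1.1 and no WS-Addressing or secure conversation, the profile that Java stacks built on WSS4J handle without extra work. Service contract, certificate subject and port are placeholders.

```csharp
// WCF service signed with X.509 over plain HTTP + SOAP 1.1 (WS-I Basic Security Profile style).
// Contract name, certificate subject and listen address are placeholders.
using System;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.ServiceModel;
using System.ServiceModel.Security;

// ProtectionLevel.Sign: the question asks for signing only. Leave it at the default
// (EncryptAndSign) if the payload must also be confidential at the message level.
[ServiceContract(Namespace = "urn:example:orders", ProtectionLevel = ProtectionLevel.Sign)]
public interface IOrderService
{
    [OperationContract]
    string Submit(string orderXml);
}

public class OrderService : IOrderService
{
    public string Submit(string orderXml)
    {
        // WCF has already verified the signature and chained the client certificate to a
        // trusted root; the certificate subject is what identifies the caller.
        var caller = ServiceSecurityContext.Current.PrimaryIdentity.Name;
        return "accepted from " + caller;
    }
}

public static class SignedSoapHost
{
    public static BasicHttpBinding SignedSoapBinding()
    {
        var binding = new BasicHttpBinding(BasicHttpSecurityMode.Message);
        // Certificate is the only client credential basicHttp allows in message mode, which is
        // also what makes it interoperable: no WS-Trust or SecureConversation handshakes.
        binding.Security.Message.ClientCredentialType = BasicHttpMessageCredentialType.Certificate;
        // SHA-256 suite; the WCF default is Basic256 (SHA-1 signatures), which is fine for
        // interop testing but not something to ship in 2015 and later.
        binding.Security.Message.AlgorithmSuite = SecurityAlgorithmSuite.Basic256Sha256;
        return binding;
    }

    public static void Main()
    {
        using (var host = new ServiceHost(typeof(OrderService), new Uri("http://localhost:8080/orders")))
        {
            host.AddServiceEndpoint(typeof(IOrderService), SignedSoapBinding(), "");

            // Service certificate: signs responses; clients pin or chain-validate it on their side.
            host.Credentials.ServiceCertificate.SetCertificate(
                StoreLocation.LocalMachine, StoreName.My, X509FindType.FindBySubjectName, "orders.example.com");

            // Client certificates must chain to a CA in the machine trust store and not be revoked.
            // PeerTrust (explicit thumbprint list) is the alternative when there is no shared CA;
            // None is only ever acceptable on a throwaway test box.
            var auth = host.Credentials.ClientCertificate.Authentication;
            auth.CertificateValidationMode = X509CertificateValidationMode.ChainTrust;
            auth.RevocationMode = X509RevocationMode.Online;

            host.Open();
            Console.WriteLine("Listening on http://localhost:8080/orders; press Enter to stop");
            Console.ReadLine();
        }
    }
}
```

This is the WCF side of the proof of concept the answer recommends: stand it up, point the same Java client that worked against the WSE service at its WSDL, and compare the signed SOAP envelopes on the wire. The usual interop stumbling blocks are the algorithm suite and whether the client expects the service's signature to cover the timestamp, both of which show up immediately in that comparison.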